Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2386

Legacy Kerberos in management, unable to configure fallback authentication.

    XMLWordPrintable

Details

    • Hide

      1. Setup kerberos for management interface (https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/how-to-set-up-sso-with-kerberos/#configure-krb-management-interfaces)
      2. Configure <jaas> authentication as fallback

      standalone.xml
                  <security-realm name="FallBackKerberosRealm">
                <server-identities>
                    <kerberos>
                        <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab"/>
                    </kerberos>
                </server-identities>
                <authentication>
                    <kerberos/>
                    <jaas name="JBossTestDomain"/>
                </authentication>
            </security-realm>

      3. BASIC authentication is not performed with client which does not support SPNEGO

      [mchoma@localhost ~]$ curl http://localhost.localdomain:9990/management?operation=attribute&name=server-state
[mchoma@localhost ~]$ <html><head><title>Error</title></head><body>401 - Unauthorized</body></html>
      Show
      1. Setup kerberos for management interface ( https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/how-to-set-up-sso-with-kerberos/#configure-krb-management-interfaces ) 2. Configure <jaas> authentication as fallback standalone.xml <security-realm name= "FallBackKerberosRealm" > <server-identities> <kerberos> <keytab principal= "HTTP/localhost.localdomain@JBOSS.ORG" path= "krb.keytab" /> </kerberos> </server-identities> <authentication> <kerberos/> <jaas name= "JBossTestDomain" /> </authentication> </security-realm> 3. BASIC authentication is not performed with client which does not support SPNEGO [mchoma@localhost ~]$ curl http: //localhost.localdomain:9990/management?operation=attribute&name=server-state [mchoma@localhost ~]$ <html><head><title>Error</title></head><body>401 - Unauthorized</body></html>

    Description

      In EAP 7.0 there was possible to configure fallback (e.g. BASIC) authentication, if client does not support SPNEGO authentication. In EAP 7.1 this feature does not work anymore.

      In EAP 7.0 server returns multiple chalanges (Negotiate/Basic) and client could choose which he will use.

      EAP 7.0
      HTTP/1.1 401 Unauthorized
Connection: keep-alive
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="FallBackKerberosRealm"
X-Frame-Options: SAMEORIGIN
Content-Length: 77
Content-Type: text/html
Date: Mon, 30 Jan 2017 11:02:45 GMT

<html><head><title>Error</title></head><body>401 - Unauthorized</body></html>

      In EAP 7.1 (with same configuration) server returns only one chalange - Negotiate so client not supporting SPNEGO, can't fallback to Basic.

      EAP 7.1
      HTTP/1.1 401 Unauthorized
Connection: keep-alive
WWW-Authenticate: Negotiate
X-Frame-Options: SAMEORIGIN
Content-Length: 77
Content-Type: text/html
Date: Mon, 30 Jan 2017 11:01:28 GMT

<html><head><title>Error</title></head><body>401 - Unauthorized</body></html>

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-8569 Legacy Kerberos in management, unable to configure fallback authentication.

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified
          is blocked by

          Task - Represents a small unit of work that is not end-user facing. WFCORE-2266 Ensure remaining legacy realm components have Elytron wrappers.

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: